WHAT IS CLAIMED IS: 

1. An unauthorized access detection device for 
detecting unauthorized accesses over a network, 
5 comprising : 

unauthorized access scenario storage means for 
storing unauthorized access scenarios each defining a 
procedure of processes to be executed over the network 
until an unauthorized access is made through preparation; 

10 ongoing scenario storage means for storing ongoing 

scenarios by relating the ongoing scenarios to key data, 
the ongoing scenarios each indicating progress of 
processes executed over the network based on one of the 
unauthorized access scenarios, the key data 

15 differentiating processes associated with each of the 
ongoing scenarios from other processes; 

key data extraction means for obtaining a packet 
traveling on the network and extracting the key data from 
the packet obtained; 

20 ongoing scenario detection means for retrieving an 

ongoing scenario from the ongoing scenario storage means 
with the key data extracted by the key data extraction 
means as a search key; 

check means for determining whether execution of a 

25 process indicated by the packet after the ongoing scenario 
retrieved by the ongoing scenario detection means follows 
one of the unauthorized access scenarios being stored in 
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the unauthorized access scenario storage means; 

ongoing scenario update means for updating the 
ongoing scenario being stored in the ongoing scenario 
storage means when a check result of the check means shows 
5 that the execution follows the one of the unauthorized 
access scenarios; and 

report output means for outputting an unauthorized 
access report showing progress of processes executed based 
on the one of the unauthorized access scenarios , depending 
10 on the check result of the check means. 

2 . The unauthorized access detection device 
according to claim 1 , wherein the report output means 
outputs the unauthorized access report when the ongoing 

15 scenario retrieved by the ongoing scenario detection means 
reaches a final stage of the one of the unauthorized 
access scenarios. 

3 . The unauthorized access detection device 
20 according to claim 1, wherein: 

the ongoing scenario storage means stores a numeric 
value by relating the numeric value to the each of the 
ongoing scenarios, the numeric value indicating a degree 
of progress of the each of the ongoing scenarios; and 
25 the ongoing scenario update means updates the 

ongoing scenario by increasing the numeric value of the 
degree of progress. 
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4. The unauthorized access detection device 
according to claim 3 , wherein the report output means 
outputs the unauthorized access report when the degree of 

5 progress exceeds a prescribed value. 

5 . The unauthorized access detection device 
according to claim 1 , wherein : 

in the unauthorized access scenario storage means, 
10 roles are set to a source and a destination of information 
indicating a process to be executed over the network, in 
each of the unauthorized access scenarios; and 

the check means determines whether a source and a 
destination of the process indicated by the packet take 
15 the roles defined in the one of the unauthorized access 
scenarios . 

6 . The unauthorized access detection device 
according to claim 1 , wherein : 

20 a procedure of processes until an unauthorized 

access is made through preparation is defined in the form 
of state transitions with events as turning points in each 
of the unauthorized access scenarios being stored in the 
unauthorized access scenario storage means, the events 

25 generated at a time of instructions and responses of 
processes executed over the network; and 

the check means determines whether a state 
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transition to an event of the process indicated by the 
packet follows the one of the unauthorized access 
scenarios . 

5 7. The unauthorized access detection device 

according to claim 1 , wherein : 

valid periods for proceeding processes to next 
stages are set in each of the unauthorized access 
scenarios being stored in the unauthorized access scenario 
10 storage means; and 

the check means dietermines whether the process 
indicated by the packet is executed within the valid 
period. 

15 8 . The unauthorized access detection device 

according to claim 1 , wherein : 

weights to be added every time when a scenario 
progresses are defined in each of the unauthorized access 
scenarios being stored in the unauthorized access scenario 
20 storage means; and 

the report output means outputs the unauthorized 
access report when a total weight exceeds a prescribed 
value. 

2 5 9. An unauthorized access detection method for 

detecting unauthorized accesses over a network, comprising 
the steps of: 
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obtaining a packet traveling on the network and 
extracting prescribed key data from the packet obtained; 

retrieving an ongoing scenario from ongoing scenario 
storage means with the key data extracted from the packet 
5 as a search key, the ongoing scenario indicating progress 
of processes executed over the network based on an 
unauthorized access scenario, the unauthorized access 
scenario defining a procedure of processes to be executed 
over the network until an unauthorized access is made 
10 through preparation, the key data differentiating 
processes associated with the ongoing scenario from other 
processes ; 

checking unauthorized access scenario storage means 
storing the unauthorized access scenario to determine 
15 whether execution of a process indicated by the packet 
after the ongoing scenario retrieved follows the 
unauthorized access scenario; 

updating the ongoing scenario being stored in the 
ongoing scenario storage mans when a check result shows 
2 0 that the execution follows the unauthorized access 
scenario; and 

outputting an unauthorized access report indicating 
progress of processes executed based on the unauthorized 
access scenario, depending on the check result. 

25 

10. An unauthorized access detection program to 
detect unauthorized accesses over a network, the 
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unauthorized access detection program causing a computer 
to function as : 

unauthorized access scenario storage means for 
storing unauthorized access scenarios each defining a 
5 procedure of processes to be executed over the network 
until an unauthorized access is made through preparations; 

ongoing scenario storage means for storing ongoing 
scenarios by relating the ongoing scenarios to key data, 
the ongoing scenarios each indicating progress of 
10 processes executed over the network based on one of the 
unauthorized access scenarios, the key data 

differentiating processes associated with each of the 
ongoing scenarios from other processes; 

key data extraction means for obtaining a packet 
15 traveling on the network and extracting the key data from 
the packet obtained; 

ongoing scenario detection means for retrieving an 
ongoing scenario from the ongoing scenario storage means 
with the key data extracted by the key data extraction 
2 0 means as a search key; 

check means for determining whether execution of a 
process indicated by the packet after the ongoing scenario 
retrieved by the ongoing scenario detection means follows 
one of the unauthorized access scenarios being stored in 
2 5 the unauthorized access scenario storage means; 

ongoing scenario update means for updating the 
ongoing scenario being stored in the ongoing scenario 
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storage means when a check result of the check means shows 
that the execution follows the one of the unauthorized 
access scenarios; and 

report output means for outputting an unauthorized 
5 access report showing progress of processes executed based 
on the one of the unauthorized access scenarios, depending 
on the check result of the check means . 

11. A computer-readable recording medium storing an 
10 unauthorized access detection program to detect 
unauthorized accesses over a network, the unauthorized 
access detection program causing a computer to function 
as : 

unauthorized access scenario storage means for 
15 storing unauthorized access scenarios each defining a 
procedure of processes to be executed over the network 
until an unauthorized access is made through preparation; 

ongoing scenario storage means for storing ongoing 
scenarios by relating the ongoing scenarios to key data, 
2 0 the ongoing scenarios each indicating progress of 
processes executed over the network based on one of the 
unauthorized access scenarios, the key data 

differentiating processes associated with each of the 
ongoing scenarios from other processes; 
2 5 key data extraction means for obtaining a packet 

traveling on the network and extracting the key data from 
the packet obtained; 
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ongoing scenario detection means for retrieving an 
ongoing scenario from the ongoing scenario storage means 
with the key data extracted by the key data extraction 
means as a search key; 
5 check means for determining whether execution of a 

process indicated by the packet after the ongoing scenario 
retrieved by the ongoing scenario detection means follows 
one of the unauthorized access scenarios being stored in 
the unauthorized access scenario storage means; 

10 ongoing scenario update means for updating the 

ongoing scenario being stored in the ongoing scenario 
storage means when a check result of the check means shows 
that the execution follows the one of the unauthorized 
access scenarios; and 

15 report output means for outputting an unauthorized 

access report showing progress of processes executed based 
on the one of the unauthorized access scenarios, depending 
on the check result of the check means . 
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